Administration tasks consist mostly of incidents, (non)standard changes and monitoring where this blog focusses on monitoring in Office 365. An administrator should proactively monitor the Office 365 environment for alerts and issues. There are a lot of different sources that can trigger an alert where each type of alert should have a process attached to it (there may be additional sources that an administrator should look at, please let me know in a comment or mail and I will update this post). An administrator should for example know who to contact when a DLP alert occurred.

Administration tasks can be categorized in for example daily, weekly and biweekly but this depends on the governance and policy of the organization.

Daily

Daily tasks are mostly tasks that needs to be acted on directly. These are mostly alerts or notifications that are sent to for example a shared mailbox. Processes should be in place to describe the correct way to follow up on the different notifications or alerts.

Service health report

The service health report provided by Microsoft shows incidents and advisories for the different functionalities or products in Office 365. It is possible to build a dashboard in Azure or Power BI that shows this information on a TV screen as you normally won’t notice this until an user reports an issue. The direct link is https://admin.microsoft.com/Adminportal/Home#/servicehealth

clip_image002

It is currently possible to schedule an alert when you are in the targeted release group. This means you will instantly receive an alert when an incident or advisory has been added. You can schedule this at the same location where you will receive a “Preference” button.

clip_image004

Notifications should be acted on based on a documented process.

Message center

The message center gives you a high-level overview of a planned change and how it may affect your users, and links out to more detailed information to help you prepare. The direct link is https://admin.microsoft.com/Adminportal/Home#/MessageCenter

clip_image005

Messages should be read at least weekly, but it is also possible to schedule notifications with major updates or data privacy messages.

clip_image007

Security & Compliance alerts

It depends on the license what you will see but there is an admin portal for security, an admin portal for compliance and an admin portal for security & compliance. The actual alerts are stored at the security & compliance center with the direct link of https://protection.office.com/viewalerts.

clip_image009

These are alerts of anomalies in for example SharePoint Online and Exchange Online and you can create your own alerts. Each policy will by default be sent to administrators but you can also add a custom mail address by editing each alert policy.

clip_image011

clip_image013

There may be false positives so you will have to tweak the alerts to your preferences, but each alert should be acted on and set to solved in the portal.

Microsoft Cloud App Security (MCAS) alerts

MCAS is an E5 functionality that uses machine learning and analytical techniques to detect anomalies in your Office 365 tenant. You can find for example login activity from infrequent country or when someone credentials may be leaked.

clip_image014

MCAS is build on alert policies where each alert policy should be edited to include a mail address

clip_image015

clip_image017

Data loss / leak prevention alerts

It’s advisable to have at least a PII DLP policy active which helps to be GDPR compliant. DLP alerts show when a user sent data to someone outside your organization that contains for example PII. It depends on the organization and country which PII you should monitor where you can create your own policy. Administrators should monitor these alerts closely and use the correct process so actions can be taken quickly. The direct link is https://compliance.microsoft.com/datalossprevention

clip_image019

You can change the policy to sent a mail to for example a shared mailbox.

clip_image021

Weekly tasks

Message center

The message center gives you a high-level overview of a planned change and how it may affect your users, and links out to more detailed information to help you prepare. The direct link is https://admin.microsoft.com/Adminportal/Home#/MessageCenter

clip_image005[1]

Messages should be read at least weekly and a process should be in place to notify the correct key user when for example something changes in Microsoft Teams.

clip_image007[1]

Select ‘Send a weekly e-mail digest of my messages’

Risky users and risky sign-ins

You should check the alerts for risky users and sign-ins if you have the license. This functionality can be found at the AAD portal https://aad.portal.azure.com

clip_image022

It is advisable to weekly clean up this list so there is no back log. Administrators receive an email by default, but it is possible to add additional users for a weekly mail digest.

clip_image024

Processes should be set in place based on the risk level and type. It is possible to also create actions based on the risk level, but this can increase the incidents for administrators should there be a lot of false positives.

Admin role changes

It is best practices to have at least 2 to 4 global administrators in your Office 365 tenant. Each global admin can change roles for users where someone needs to monitor these changes to verify it isn’t being abused. You can verify this using a script, but this will be a snapshot and a global administrator can grant access for 1 hour and then revoke it with only the audit log to prove it in 30 days. The direct link to the audit log is at https://protection.office.com/unifiedauditlog

clip_image026

Search for role administration activities and in particular added and removed members from a role

clip_image028

Security & compliance report

It’s a daily task to verify alerts being produced by the security and compliance center but it’s also advisable to verify the security & compliance dashboard for any differences in spoof, spam or malware detections. The direct link is https://protection.office.com/insightdashboard

clip_image030

clip_image032

Any spikes in the graphs should be looked in to.

New and removed users including licenses

It’s possible that users are being provisioned using a third-party tool, so administrators don’t know how many users are being created weekly or monthly and if there are enough licenses available for these users. You can also verify if strange user accounts have been created during the week. This information is also being retrieved using the audit log at https://protection.office.com/unifiedauditlog

clip_image026[1]

Note that the start and end date is only for a week as it may take some time for the search to complete.

clip_image034

Select at least the added or deleted user.

You can also verify at https://admin.microsoft.com/Adminportal/Home#/licenses if there are enough licenses available.

clip_image036

There should be a process in place where the administrator can ask for additional licenses if needed.

App registrations

We advise to disable app registration to members, but this is enabled by default and should then be monitored closely. A registered app can for example retrieve/use or alter user data and may read the mailbox or sent on behalf of the user. The direct link is https://aad.portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AllApps/menuId/

clip_image038

These apps should be verified and removed should they be not allowed in the organization. You can use Microsoft Cloud App Security for a better view of these applications and their risk level.

clip_image040

Note that you will need to connect to your office 365 tenant.

Biweekly tasks

Baseline

I have created a few pages which contain security related settings that can be added to a baseline.

Azure Active Directory
Exchange Online
SharePoint Online
Power Automate and PowerApps
Office 365 Advanced Threat Protection
Office 365 Security & Compliance
Power BI
Microsoft Teams

It is advisable to verify that these settings haven’t been changed in the past two weeks and are still compliant with the baseline. You can use PowerShell or other scripting languages to do this automatically. Any setting that is not compliant should be verified and reverted to the baseline if needed. An investigation can be started to verify who has changed the setting if possible.

One Comment

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.